Research into the perfect password has determined that using a series of four unique, memorable words offers much greater security than a shorter password with letters, numbers and symbols.

Aldrin Brown, Editor-in-Chief

September 23, 2017


In recent years the ideal structure for login passwords has come under re-examination, and getting it right matters more than ever in an age of ubiquitous cyber attacks.

The work was done at the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce charged with setting cyber security rules for non-military federal government agencies.

This summer, NIST researchers released Special Publication 800-63, which outlines new best practices dictating an end to frequent password changes, and a move away from pithy combinations of upper and lower-case letters, numbers and symbols.

Those guideline changes were thrust into the spotlight this week after former NIST manager Bill Burr – who created the original password standards in 2003 – said in a media interview that the previous approach was obsolete and based on inadequate information.

“Much of what I did I now regret,” the now-retired 72-year-old told The Wall Street Journal.

While NIST’s standards are only binding on employees of the covered federal agencies, they are often looked to and adopted by large and small businesses and other organizations as best practices.

The new guidelines suggest moving away from passwords built to satisfy rudimentary complexity rules, like “MSPmentor2017!”, which can be easily cracked by hackers and may give the user a false sense of security.

Requiring that such passwords be changed regularly often encourages users to make the passwords too simple: think “MSPmentor2017!2,” with an integer at the end that can be increased by 1 each time the password needs to be updated.

In other cases, users will write their passwords down in insecure places.

The new standards suggest organizations require unique but easy-to-remember words or phrases of at least eight characters.

As part of that, the NIST best practices also call for organizations to do stringent validation of new passwords, using technology that rejects terms that mirror commonly used passwords.

Changing of passwords should be reserved for instances when there has been a known breach or after a specific threat.

Academic research into the ideal passwords has determined that using a series of four unique, memorable words offers much greater security than a shorter password with letters, numbers and symbols.

The Wall Street Journal cited a widely circulated cartoon in which creator Randall Munroe illustrated how it would take a computer 550 years to crack the password “correcthorsebatterystaple.”

By comparison, the password “Tr0ub4dor&3” could be cracked in just three days.
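The checks described above (a minimum of eight characters, rejection of anything that mirrors a commonly used password, and no composition rules) and the cartoon's guessing-time comparison, as an added Python example that is not part of the article or of NIST's publication. The blocklist entries are constructed stand-ins for a real breached-password list, and the 1,000-guesses-per-second rate and 2,048-word list are assumptions used to reproduce the cartoon's 44-bit figure.

```python
import math
import re

# Minimum length from the NIST guidance described in the article.
NIST_MIN_LENGTH = 8

# Constructed stand-in for a breached/common-password blocklist.
# A real deployment would load a large list; these entries are illustrative.
COMMON_PASSWORDS = {"password", "12345678", "qwerty", "letmein", "mspmentor2017!"}

# Users bump a trailing counter on forced rotation ("MSPmentor2017!" ->
# "MSPmentor2017!2"), so the blocklist is also compared on the stem.
_TRAILING_COUNTER = re.compile(r"[\d\W_]+$")


def normalize(password: str) -> str:
    """Trim surrounding whitespace and case-fold before comparing."""
    return password.strip().casefold()


def stem(password: str) -> str:
    """Drop the trailing digits/symbols that users typically increment."""
    return _TRAILING_COUNTER.sub("", normalize(password))


def validate(password: str, blocklist=COMMON_PASSWORDS):
    """Return (accepted, reason). Length and blocklist only: no required
    mix of cases, digits or symbols, as the new guidance recommends."""
    norm = normalize(password)
    if len(norm) < NIST_MIN_LENGTH:
        return False, "shorter than %d characters" % NIST_MIN_LENGTH
    stems = {s for s in (stem(p) for p in blocklist) if s}
    if norm in blocklist or stem(norm) in stems:
        return False, "mirrors a commonly used password"
    return True, "ok"


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Guessing entropy of `words` words drawn uniformly from a word list."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1000.0) -> float:
    """Years to try every candidate at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ("MSPmentor2017!2", "short1!", "correcthorsebatterystaple"):
        print(candidate, validate(candidate))
    bits = passphrase_bits(4, 2048)               # 44 bits, as in the cartoon
    print("4 words from 2048: %.0f bits, ~%.0f years" % (bits, years_to_exhaust(bits)))
    print("28 bits: ~%.1f days" % (years_to_exhaust(28) * 365.25))
```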

About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.
